US9379912B2ActiveUtilityA1

Mitigating email SPAM attacks

44
Assignee: WOOD STEPHENPriority: Dec 8, 2010Filed: Dec 8, 2010Granted: Jun 28, 2016
Est. expiryDec 8, 2030(~4.4 yrs left)· nominal 20-yr term from priority
Inventors:Stephen Wood
H04L 51/12H04L 12/585H04L 2101/37H04L 51/212H04L 61/3015H04L 51/42
44
PatentIndex Score
0
Cited by
9
References
16
Claims

Abstract

The present disclosure relates to mitigating email spam attacks. A gateway is configured to receive mail from one or more mail systems. If mail is intended for delivery to an invalid address, the gateway can generate status messages for delivery to the mail systems or determine if a threshold for delivery attempts to the invalid address has been met. If the threshold has been met, the gateway can request creation of a honeypot email address, and future mail intended for delivery to the invalid address are delivered to a mailbox associated with the honeypot email address. Various actions can be taken with respect to the mail delivered to the honeypot email address including analysis, blacklisting of senders, and/or other actions.

Claims

exact text as granted — not AI-modified
I claim: 
     
       1. A method comprising:
 receiving, at a gateway comprising a processor and from a mail system, an email message; 
 determining, by the gateway and based upon an analysis of the email message, destination addresses associated with the email message, wherein the destination addresses include a recipient email address; 
 accessing, by the gateway, user data that comprises a list of email addresses associated with an internet service provider, wherein the list of email addresses comprises valid email addresses, expired email addresses, and invalid email addresses; 
 querying, by the gateway, the user data to determine if the recipient email address is valid; and 
 in response to a determination that the recipient email address is invalid
 determining, by the gateway and based upon a configuration file, a number of times delivery of email messages to the recipient email address has been attempted, 
 determining, by the gateway, if the number of times meets a delivery attempt threshold associated with the recipient email address, the delivery attempt threshold comprising a number of message delivery attempts within a specified time period, 
 in response to a determination that the number of times meets the delivery attempt threshold, requesting, by the gateway, creation of a honeypot email address comprising the recipient email address, 
 receiving, by the gateway, a further email message that is addressed to the recipient email address, and 
 delivering, by the gateway, the further email message to a mailbox associated with the honeypot email address, whereby a sender of the further email message is not informed that the recipient email address is invalid. 
 
 
     
     
       2. The method of  claim 1 , further comprising storing data identifying the honeypot email address at a data storage location accessible by the gateway. 
     
     
       3. The method of  claim 1 , further comprising:
 analyzing the further email message delivered to the mailbox associated with the honeypot email address to determine content of the further email message; and 
 determining that the further email message comprises a spam message based upon the content determined. 
 
     
     
       4. The method of  claim 1 , further comprising:
 analyzing the further email message delivered to the mailbox associated with the honeypot email address; and 
 updating a spam filter to include data identifying the sender of the further email message. 
 
     
     
       5. The method of  claim 1 , further comprising:
 analyzing the further email message delivered to the mailbox associated with the honeypot email address to determine content of the further email message; and 
 updating a spam filter to include data corresponding to the content. 
 
     
     
       6. The method of  claim 3 , wherein the honeypot email address comprises a domain name associated with the internet service provider, and wherein an email address of the sender comprises the domain name. 
     
     
       7. The method of  claim 1 , further comprising:
 scanning the mailbox associated with the honeypot email address; 
 counting a number of email messages deposited in the mailbox; 
 determining, based partially upon the number of email messages, a filtration rate for spam messages. 
 
     
     
       8. The method of  claim 7 , wherein the filtration rate is used to measure effectiveness of spam filtration. 
     
     
       9. A computer storage medium having computer-executable instructions stored thereon that, when executed by a processor, cause the processor to perform operations comprising:
 receiving, from a mail system, an email message; 
 determining, based upon an analysis of the email message, destination addresses associated with the email message, wherein the destination addresses include a recipient email address; 
 accessing user data that comprises a list of email addresses associated with an internet service provider, wherein the list of email addresses comprises valid email addresses, expired email addresses, and invalid email addresses; 
 querying the user data to determine if the recipient email address is valid; 
 in response to a determination that the recipient email address is invalid
 determining, based upon a configuration file, a number of times delivery of email messages to the recipient email address has been attempted, 
 determining if the number of times meets a delivery attempt threshold associated with the recipient email address, the delivery attempt threshold comprising a number of message delivery attempts within a specified time period, 
 in response to a determination that the number of times meets the delivery attempt threshold, requesting creation of a honeypot email address comprising the recipient email address; 
 
 receiving a further email message that is addressed to the recipient email address; and 
 delivering the further email message to a mailbox associated with the honeypot email address, whereby a sender of the further email message is not informed that the recipient email address is invalid. 
 
     
     
       10. The computer storage medium of  claim 9 , wherein the computer-executable instructions, when executed by the processor, cause the processor to perform operations comprising:
 analyzing the further email message delivered to the mailbox associated with the honeypot email address to identify content of the further email message; and 
 determining that the further email message comprises a spam message based upon the content identified. 
 
     
     
       11. The computer storage medium of  claim 9 , wherein the computer-executable instructions, when executed by the processor, cause the processor to perform operations further comprising:
 scanning the mailbox associated with the honeypot email address; 
 counting a number of email messages deposited in the mailbox; 
 determining, based partially upon the number of email messages, a filtration rate for spam messages. 
 
     
     
       12. The computer storage medium of  claim 11 , wherein the filtration rate is used to measure effectiveness of spam filtration. 
     
     
       13. A system comprising:
 a processor; and 
 a memory that stores computer-executable instructions that, when executed by the processor, cause the processor to perform operations comprising
 receiving, from a mail system, an email message, 
 determining, based upon an analysis of the email message, destination addresses associated with the email message, wherein the destination addresses include a recipient email address, 
 accessing user data that comprises a list of email addresses associated with an internet service provider, wherein the list of email addresses comprises valid email addresses, expired email addresses, and invalid email addresses, 
 querying the user data to determine if the recipient email address is valid, 
 in response to a determination that the recipient email address is invalid
 determining, based upon a configuration file, a number of times delivery of email messages to the recipient email address has been attempted, 
 determining if the number of times meets a delivery attempt threshold associated with the recipient email address, the delivery attempt threshold comprising a number of message delivery attempts within a specified time period, 
 in response to a determination that the number of times meets the delivery attempt threshold, requesting creation of a honeypot email address comprising the recipient email address, 
 
 receiving a further email message that is addressed to the recipient email address, and 
 delivering the further email message to a mailbox associated with the honeypot email address, whereby a sender of the further email message is not informed that the recipient email address is invalid. 
 
 
     
     
       14. The system of  claim 13 , wherein the computer-executable instructions, when executed by the processor, cause the processor to perform operations further comprising:
 analyzing the further email message delivered to the mailbox associated with the honeypot email address to identify content of the further email message; and 
 determining that the further email message comprises a spam message based upon the content identified. 
 
     
     
       15. The system of  claim 13 , wherein the computer-executable instructions, when executed by the processor, cause the processor to perform operations further comprising:
 scanning the mailbox associated with the honeypot email address; 
 counting a number of email messages deposited in the mailbox; 
 determining, based partially upon the number of email messages, a filtration rate for spam messages. 
 
     
     
       16. The system of  claim 15 , wherein the filtration rate is used to measure effectiveness of spam filtration.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.